By re-adapting the SafetyDump Rust library (many thanks to the author!), I have been able to EASILY bypass all the countermeasures put in place by most EDRs, except Kaspersky EDR and Trend Micro (new detection, from a couple of hours ago).
dbghelp!MiniDumpWriteDump with a custom callback could be used, until a year ago, to bypass most antivirus and EDR solutions.
Now, most of them EASILY recognize, statically or behaviorally, the system API usage pattern for programs written in languages such as C++, Delphi, and C#. (It could still be possible thanks to the undocumented NtOpenProcessEx, but that's another story.)
If you have a Go implementation, please give me feedback. I'm working on one but still have some bugs related to memory size.
I suspect that there is still no way to monitor the MiniDumpWriteDump callback, so all the protection against a possible credential dump via this technique is left to machine-learning detections.
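The callback itself may not be observable, but any MiniDumpWriteDump-based dump still needs a handle on LSASS with at least PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and Sysmon Event ID 10 (ProcessAccess) records that open together with its GrantedAccess mask. The following added example (not part of the original post or the tool) triages such records; the allowlist of source images and the sample events are constructed assumptions.

```python
# Added example: triage Sysmon Event ID 10 (ProcessAccess) records for handle
# opens on lsass.exe that include PROCESS_VM_READ. Dumping via MiniDumpWriteDump
# (callback or not) needs such a handle, so the open is visible even when the
# dump never touches disk. Records and allowlist below are constructed.
import re

PROCESS_VM_READ = 0x0010  # required by MiniDumpWriteDump to read target memory

# Assumed allowlist: system processes expected to hold read access on LSASS.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Minimal parser for the <Data Name='...'>value</Data> items of a Sysmon event.
DATA_RE = re.compile(r"<Data Name='([^']+)'>([^<]*)</Data>")


def parse_event(xml: str) -> dict:
    """Return the Data fields of one Sysmon event record as a dict."""
    return dict(DATA_RE.findall(xml))


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted image opened lsass.exe with VM_READ rights."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs hex, e.g. 0x1FFFFF
    if not granted & PROCESS_VM_READ:
        return False  # query-only opens (e.g. 0x1000) cannot read memory
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def triage(records):
    """Return (SourceImage, GrantedAccess) for every suspicious LSASS access."""
    events = (parse_event(r) for r in records)
    return [(e["SourceImage"], e["GrantedAccess"])
            for e in events if is_suspicious_lsass_access(e)]


# Constructed sample records (only the fields used here are included).
SAMPLE_EVENTS = [
    "<Data Name='SourceImage'>C:\\Users\\bob\\Desktop\\dumper.exe</Data><Data Name='TargetImage'>C:\\Windows\\system32\\lsass.exe</Data><Data Name='GrantedAccess'>0x1FFFFF</Data>",
    "<Data Name='SourceImage'>C:\\Windows\\system32\\csrss.exe</Data><Data Name='TargetImage'>C:\\Windows\\system32\\lsass.exe</Data><Data Name='GrantedAccess'>0x1FFFFF</Data>",
    "<Data Name='SourceImage'>C:\\Program Files\\Monitor\\agent.exe</Data><Data Name='TargetImage'>C:\\Windows\\system32\\lsass.exe</Data><Data Name='GrantedAccess'>0x1000</Data>",
    "<Data Name='SourceImage'>C:\\Users\\bob\\Desktop\\dumper.exe</Data><Data Name='TargetImage'>C:\\Windows\\system32\\lsass.exe</Data><Data Name='GrantedAccess'>0x1010</Data>",
]

if __name__ == "__main__":
    for source, access in triage(SAMPLE_EVENTS):
        print(f"suspicious LSASS access: {source} ({access})")
```

Only the two dumper.exe opens are reported: csrss.exe is allowlisted and the 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) open cannot read memory.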
Usage
GUI
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiOuHm1FH1FdLvOx0-EYPEpKENkw-fRUccLdjqq-mZSNCaFPewpj6y5sCMUh4Uut5Z9qu1rvtyGQb10BoQiZFE15q7fU8wcHi1xNSHMyEEtrYSDjO5cRClcMt7n67Knu3NT5xFk9UzAhrdK_yAvg5QjI1UVa2HgVA-c_OdTPvUYUtnmNI9zXrmNeLHlHnH/s16000/QQ.webp)
CMD
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9_jKtNoZbQnYGLLjK7SokTxfkeZ-m3JDBREzeQ3z7SaKwn7kFKrt7rkeLDYTamIOKeiMxO8ufIH9ORxql7pVwireIBChy3OHswdKlzZdsjH1jgAAL0gzx8Sb2RzVs-sEXY9-AZhbXy_-YdyA8zOL8MjQ0AXLHtjn5iB56mHGOZTl0z334y8LKPkPJz7ud/s16000/SF.webp)
DECRYPT
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgebfPvRuskfhFSwQqYg3c1tcVFnextnBWfsqkl8DhEA3qkhttmNbHzqSH-keoLyW9DC-QHvgwybAoJZDrAqDs0PiDpwGEyZghsshqxPjHeiS-K-ufwdX_235g0fQr__FRyt8rHhW7roxeQX1fyZ47i26skmtKJDhzWG8P0mIAptQR2uMro60CLDd8-apEi/s16000/FGH.webp)
Disclaimer
I am not responsible for any improper use of this tool. This is meant for research and security testing purposes.